The total character count of the Active Directory (AD) groups that a SEE Device Control user belongs to exceeds the 1,000-character limit of the SEE DC SQL database. This value is recorded in the SEE DC database whenever a user requests a new or updated policy from the server. If the character limit is exceeded, the user-based policy fails to apply or update.

The character count is calculated by adding up the user's current AD groups, which are stored as numerical values in CSV format (without spaces). This is normally not an issue: for example, a Windows Server 2008 machine has approximately 30-40 AD groups by default, depending on the roles enabled. Any new groups added beyond the defaults are assigned higher numerical values, so in rare cases, where a customer's AD environment has users who belong to a large number of custom groups, the 1,000-character limit may be exceeded. The approximate number of groups needed to exceed this limit varies depending on whether the AD groups have single-, double- or triple-digit numerical values, so the exact number will be between 250 and 278.

Resolution:

This issue was resolved in SEE Device Control 8.2.8 and later versions: the SQL database character limit was raised from 1,000 to 4,096 in DC 8.2.8. Upgrading the affected client machines to DC 8.2.8 or later should allow them to start receiving user-based policies normally. Please see the attached Release Notes for Symantec Endpoint Encryption Device Control 8.2.8 for details.